ccna exp4 - chapter04 - network security
TRANSCRIPT
Chapter 4 Network Security
CCNA Exploration 4.0
Introduction
Học viện mạng Bách Khoa (Bach Khoa Network Academy) - Website: www.bkacad.com
Why is Network Security Important?
Computer networks have grown in both size and importance in a very short time.
If the security of the network is compromised, there could be serious consequences, such as loss of privacy, theft of information, and even legal liability.
The Increasing Threat to Security
Animation 4.1.1.2
As shown in the figure, in 1985 an attacker had to have sophisticated computer, programming, and networking knowledge to make use of rudimentary tools and basic attacks. As time went on, and attackers' methods and tools improved, attackers no longer required the same level of sophisticated knowledge. This has effectively lowered the entry-level requirements for attackers.
People who previously would not have participated in computer crime are now able to do so.
Some of the Security Terms
White hat - An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed.
Hacker - A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual that attempts to gain unauthorized access to network resources with malicious intent.
Black hat - Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.
Cracker - A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.
Phreaker - An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.
Spammer - An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.
Phisher - Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.
Think Like an Attacker
Step 1 - Perform footprint analysis (reconnaissance). Gather publicly available information and build a picture of the security profile or "footprint" of the company.
Step 2 - Enumerate information. An attacker can expand on the footprint by monitoring network traffic with a packet sniffer such as Wireshark, finding information such as version numbers of FTP servers and mail servers.
Step 3 - Manipulate users to gain access.
Step 4 - Escalate privileges. After attackers gain basic access, they use their skills to increase their network privileges.
Step 5 - Gather additional passwords and secrets. With improved access privileges, attackers use their talents to gain access to well-guarded, sensitive information.
Step 6 - Install backdoors. Backdoors provide the attacker with a way to enter the system without being detected. The most common backdoor is an open listening TCP or UDP port.
Step 7 - Leverage the compromised system. After a system is compromised, an attacker uses it to stage attacks on other hosts in the network.
Types of Computer Crime
- Insider abuse of network access
- Virus
- Mobile device theft
- Phishing where an organization is fraudulently represented as the sender
- Instant messaging misuse
- Denial of service
- Unauthorized access to information
- Bots within the organization
- Theft of customer or employee data
- Abuse of wireless network
- System penetration
- Financial fraud
- Password sniffing
- Key logging
- Website defacement
- Misuse of a public web application
- Theft of proprietary information
- Exploiting the DNS server of an organization
- Telecom fraud
- Sabotage
Open versus Closed Networks
The overall security challenge facing network administrators is balancing two important needs: keeping networks open to support evolving business requirements and protecting private, personal, and strategic business information.
Open Access: An open security model is the easiest to implement. Simple passwords and server security become the foundation of this model.
If encryption is used, it is implemented by individual users or on servers.
LANs which are not connected to the Internet or public WANs are more likely to implement this type of model.
Restrictive Access: A restrictive security model is more difficult to implement.
Firewalls and identity servers become the foundation of this model.
LANs which are connected to the Internet or public WANs are more likely to implement this type of model.
Closed Access: A closed security model is the most difficult to implement. All available security measures are implemented in this design.
This model assumes that the protected assets are premium, that no user is trustworthy, and that threats are frequent.
Network security departments must clarify that they only implement the policy, which is designed, written, and approved by the corporation.
Developing a Security Policy
A security policy meets these goals:
1. Informs users, staff, and managers of their obligatory requirements for protecting technology and information assets
2. Specifies the mechanisms through which these requirements can be met
3. Provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy
ISO/IEC 27002 is intended to be a common basis and practical guideline for developing organizational security standards and effective security management practices. The document consists of 12 sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development, and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
Common Security Threats
Vulnerabilities
Vulnerability is the degree of weakness which is inherent in every network and device. This includes routers, switches, desktops, servers, and even security devices.
There are three primary vulnerabilities or weaknesses:
1. Technological weaknesses
2. Configuration weaknesses
3. Security policy weaknesses
Threats to Physical Infrastructure
The four classes of physical threats are:
1. Hardware threats - Physical damage to servers, routers, switches, cabling plant, and workstations
2. Environmental threats - Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
3. Electrical threats - Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
4. Maintenance threats - Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
Here are some ways to mitigate physical threats:
1. Hardware threat mitigation
2. Environmental threat mitigation
3. Electrical threat mitigation
4. Maintenance threat mitigation
Physical Threat Mitigation
(Figure: mitigation measures for Hardware, Environmental, Electrical, and Maintenance threats.)
8/3/2019 CCNA Exp4 - Chapter04 - Network Security
21/139
Threats to Networks
Hc vin mng Bach Khoa - Website: www.bkacad.com
There are four primary classes of threats to network security:
1. Unstructured threats
2. Structured threats
3. External threats
4. Internal threats
Unstructured threats
Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers.
Structured threats
Structured threats come from hackers that are more highly motivated and technically competent.
These people know system vulnerabilities, and can understand and develop exploit code and scripts.
They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses.
External threats
External threats can arise from individuals or organizations working outside of a company. They do not have authorized access to the computer systems or network.
Internal threats
Internal threats occur when someone has authorized access to the network with either an account on a server or physical access to the network.
Social Engineering
The easiest hack involves no computer skill at all. If an intruder can trick a member of an organization into giving over valuable information, such as the location of files or passwords, the process of hacking is made much easier. This type of attack is called social engineering, and it preys on personal vulnerabilities that can be discovered by talented attackers.
Phishing is a type of social engineering attack that involves using e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher masquerades as a trusted party that has a seemingly legitimate need for the sensitive information.
Phishing attacks can be prevented by educating users and implementing reporting guidelines for when they receive suspicious e-mail. Administrators can also block access to certain web sites and configure filters that block suspicious e-mail.
Types of Network Attacks
Animation 4.1.3.1
8/3/2019 CCNA Exp4 - Chapter04 - Network Security
31/139
1- Reconnaissance Attacks
Animation 4.1.3.2
Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack.
Reconnaissance Attacks
Network snooping and packet sniffing are common terms for eavesdropping. Eavesdropping is listening in to a conversation, spying, prying, or snooping.
Types of Eavesdropping
A common method for eavesdropping on communications is to capture TCP/IP or other protocol packets and decode the contents using a protocol analyzer or similar utility.
Two common uses of eavesdropping are as follows:
1. Information gathering
2. Information theft
Tools Used to Perform Eavesdropping
- Network or protocol analyzers
- Packet capturing utilities on networked computers
Methods to Counteract Attacks
- Implementing and enforcing a policy directive that forbids the use of protocols with known susceptibilities to eavesdropping
- Using encryption that meets the data security needs of the organization without imposing an excessive burden on the system resources or the users
- Using switched networks (a switch only stops casual sniffing; an attacker on the same segment can still pull traffic to themselves by ARP poisoning or MAC flooding, so encryption remains the dependable control)
2- Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
Access attacks can consist of the following:
- Password attacks
- Trust exploitation
- Port redirection
- Man-in-the-middle attack
- Social engineering
- Phishing
Password Attacks
Password attacks can be implemented using a packet sniffer to yield user accounts and passwords that are transmitted as clear text.
Password attacks usually refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account, password, or both. These repeated attempts are called dictionary attacks or brute-force attacks.
Password attacks can be mitigated by educating users to use long, complex passwords, by limiting or locking out repeated failed logins on the shared resource, and by not using protocols that carry credentials in clear text.
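The following Python is an added example, not part of the course material, illustrating what the eavesdropping and password-sniffing slides describe: a sniffer that follows a TCP stream recovers the FTP USER and PASS commands from a cleartext session, while the same logic gets nothing from an encrypted session. The byte strings are constructed here to stand in for captured payloads, and the function names are this example's own.

```python
import re

# Constructed TCP payload fragments standing in for a captured FTP
# control-channel session (cleartext). Each tuple: (direction, bytes).
FTP_CAPTURE = [
    ("server", b"220 ftp.example.test FTP server ready\r\n"),
    ("client", b"USER alice\r\n"),
    ("server", b"331 Password required for alice\r\n"),
    ("client", b"PASS hunter2\r\n"),
    ("server", b"230 User alice logged in\r\n"),
    ("client", b"RETR payroll.csv\r\n"),
]

# Constructed opaque bytes standing in for a TLS-protected session: the
# sniffer still sees the packets, but the content is ciphertext.
TLS_CAPTURE = [
    ("client", bytes.fromhex("1603030058010000540303" + "9f" * 32)),
    ("server", bytes.fromhex("1603030052020000" + "c4" * 40)),
    ("client", bytes.fromhex("170303002a" + "3b" * 42)),
]

# FTP commands carrying credentials (RFC 959 USER/PASS) and the command
# that names the file being fetched; FTP sends one command per CRLF line.
_CRED_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$")
_RETR_RE = re.compile(rb"^RETR\s+(\S+)\s*$")


def reassemble_stream(capture, direction):
    """Join the payloads sent in one direction, as a sniffer does when
    following a TCP stream, and split on CRLF into protocol lines."""
    data = b"".join(p for d, p in capture if d == direction)
    return [line for line in data.split(b"\r\n") if line]


def harvest_ftp_credentials(capture):
    """Return {'user', 'password', 'files'} recovered from the client side
    of a cleartext FTP session; fields stay empty when the stream holds no
    recognizable FTP commands (for example because it is ciphertext)."""
    found = {"user": None, "password": None, "files": []}
    for line in reassemble_stream(capture, "client"):
        m = _CRED_RE.match(line)
        if m:
            key = "user" if m.group(1) == b"USER" else "password"
            found[key] = m.group(2).decode("ascii", "replace")
            continue
        m = _RETR_RE.match(line)
        if m:
            found["files"].append(m.group(1).decode("ascii", "replace"))
    return found


def looks_like_tls(capture):
    """Cheap triage check: every record starts with a TLS content-type
    byte (0x14-0x17) followed by the 0x03 major version byte."""
    return all(len(p) >= 3 and 0x14 <= p[0] <= 0x17 and p[1] == 0x03
               for _, p in capture)


if __name__ == "__main__":
    print("cleartext FTP:", harvest_ftp_credentials(FTP_CAPTURE))
    print("TLS session  :", harvest_ftp_credentials(TLS_CAPTURE),
          "tls?", looks_like_tls(TLS_CAPTURE))
```

Running the block prints the harvested account, password and file name for the FTP capture and empty fields for the TLS capture; `looks_like_tls` is the quick heuristic an analyst applies to decide whether a stream is worth decoding at all. The countermeasures the slide lists, forbidding protocols susceptible to eavesdropping and using encryption, are exactly what turns the first result into the second.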
Password Attacks
A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function.
Dictionary Attacks
To conduct a dictionary attack, attackers can use tools such as L0phtCrack or Cain. These programs repeatedly attempt to log in as a user using words derived from a dictionary.
Another password attack method uses rainbow tables. A rainbow table is a precomputed set of password chains. Each chain starts with a randomly selected "guess" of the plaintext password; the chain is extended by hashing the current value and applying a reduction function that maps the hash back to another candidate password, repeated many times. Only the start and end point of each chain are stored, so the table trades storage for computation at lookup time. Because the table is built for one hash function over the bare password, a random per-user salt mixed into the hash defeats the precomputation.
Password Attacks
Brute-force Attacks
A brute-force attack tool is more sophisticated because it searches exhaustively using combinations of character sets to compute every possible password made up of those characters.
The downside is that more time is required for completion of this type of attack. Brute-force attack tools have been known to solve simple passwords in less than a minute. Longer, more complex passwords may take days or weeks to resolve.
Note: Instead of attempting a brute-force attack directly on a system, crackers attempt to first exploit some weakness in the OS and obtain the password hash database, such as the shadow password file on UNIX or the SAM database on Windows. Offline cracking of a stolen hash database is not slowed down by login rate limits or account lockouts, which is why the choice of hashing algorithm and the use of salts matter.
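As an added example (not from the course), the following Python builds a miniature rainbow table over a 4-digit PIN keyspace with unsalted SHA-256 as the attacked hash, looks up a hash, and shows why a per-user salt defeats the precomputation. The keyspace size, chain length, reduction function and all names are this example's own choices.

```python
import hashlib

# Toy keyspace: 4-digit numeric PINs ("0000".."9999"). The course's point
# (time-memory tradeoff, chains grown from random start points) holds for
# any keyspace; a tiny one keeps the example fast. Assumption of this
# example: the target is the unsalted SHA-256 of the ASCII PIN.
KEYSPACE = 10_000
CHAIN_LEN = 50        # hash/reduce steps per chain
NUM_CHAINS = 400      # rows stored; coverage is roughly NUM_CHAINS*CHAIN_LEN minus merges


def H(pin):
    """The hash under attack (unsalted)."""
    return hashlib.sha256(pin.encode()).hexdigest()


def R(step, digest):
    """Reduction function: maps a digest back into the PIN keyspace. It
    depends on the chain position, so two chains that collide at different
    positions do not merge into one (the 'rainbow' refinement)."""
    return f"{(int(digest[:12], 16) + step) % KEYSPACE:04d}"


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Return {endpoint: start}. Only the two ends of each chain are kept;
    everything in between is recomputed on demand at lookup time."""
    table = {}
    for n in range(num_chains):
        start = f"{(n * 7919) % KEYSPACE:04d}"   # deterministic stand-in for random starts
        p = start
        for step in range(chain_len):
            p = R(step, H(p))
        table.setdefault(p, start)               # merged chains: keep the first
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Recover the PIN whose hash is `target`, or None. For each possible
    position i of the target inside a chain, finish the chain from there
    and test whether its endpoint is stored; if so, replay that chain from
    its start to find the preimage. The H(q) == target check rejects false
    alarms caused by chain collisions."""
    for i in range(chain_len - 1, -1, -1):
        p = R(i, target)
        for step in range(i + 1, chain_len):
            p = R(step, H(p))
        start = table.get(p)
        if start is None:
            continue
        q = start
        for step in range(chain_len):
            if H(q) == target:
                return q
            q = R(step, H(q))
    return None


def salted_hash(salt, pin):
    """Per-user random salt: the table was built for H(pin), so a salted
    digest falls outside every precomputed chain."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def dictionary_attack(target, wordlist, hasher=H):
    """The simpler cousin: hash each candidate in turn, no precomputation."""
    for word in wordlist:
        if hasher(word) == target:
            return word
    return None


if __name__ == "__main__":
    table = build_table()
    print("rows stored:", len(table))
    print("recovered  :", lookup(table, H("0000")))
    print("salted     :", lookup(table, salted_hash(b"\x8a\x11", "0000")))
    print("dictionary :", dictionary_attack(H("1234"), ["0000", "1111", "1234"]))
```

The reduction function `R` takes the chain position as an argument; that is what distinguishes a rainbow table from the earlier Hellman tables and why chains that collide at different positions do not merge. `dictionary_attack` is included for contrast: same verification step, no precomputation, cost linear in the wordlist. Against either, a per-user salt forces the attacker back to one full computation per user.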
Trust Exploitation
The goal of a trust exploitation attack is to compromise a trusted host, using it to stage attacks on other hosts in a network. If a host in a network of a company is protected by a firewall (inside host), but is accessible to a trusted host outside the firewall (outside host), the inside host can be attacked through the trusted outside host.
Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network; for example, private VLANs can be deployed in public-service segments where multiple public servers are available.
Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. Such trust should be limited to specific protocols and should be authenticated by something other than an IP address, where possible.
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked.
One utility that can provide this type of access is netcat. When a system is under attack, a host-based intrusion detection system (IDS) can help detect an attacker and prevent installation of such utilities on a host.
Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack is carried out by attackers that manage to position themselves between two legitimate hosts. The attacker may allow the normal transactions between hosts to occur, and only periodically manipulate the conversation between the two.
LAN MITM attacks use tools such as Ettercap and ARP poisoning. The course's mitigation for LAN MITM attacks is to configure port security on LAN switches. Note that port security only limits which and how many MAC addresses a port may source, which stops MAC flooding; it does not validate ARP replies, so against ARP poisoning the effective switch controls are DHCP snooping combined with Dynamic ARP Inspection.
WAN MITM attack mitigation is achieved by using VPN tunnels, which allow the attacker to see only the encrypted, undecipherable text.
3- Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
DoS Attacks
DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. But because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators.
DoS and DDoS attacks can be mitigated by implementing special anti-spoof and anti-DoS access control lists. ISPs can also implement traffic rate limiting, limiting the amount of nonessential traffic that crosses network segments. A common example is to rate-limit the amount of ICMP traffic that is allowed into a network, because this traffic is mostly used for diagnostic purposes. Rate-limit rather than block ICMP outright: the "fragmentation needed" unreachable message (type 3, code 4) is required for path MTU discovery, and dropping it silently breaks connections.
DoS Attacks
Ping of Death Attack
A ping of death attack gained popularity back in the late 1990s. It took advantage of vulnerabilities in older operating systems.
This attack sent an ICMP echo request split into IP fragments whose fragment offsets and lengths, when reassembled, described a datagram larger than the maximum IPv4 packet size. Each fragment on its own looked legal; only the reassembled total was oversized.
A ping is normally 64 to 84 bytes, while a ping of death reassembles to more than 65,535 bytes, the largest datagram the 16-bit IP length field allows. Sending a ping of this size may crash an older target computer whose reassembly code did not check the bound.
Most networks are no longer susceptible to this type of attack.
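As an added example (not course code), the following Python models the fragmentation arithmetic behind the ping of death: it splits an ICMP message into IP fragments the way a sending stack does, computes the size a naive reassembler would end up with, and applies the per-fragment bound check that modern stacks use to reject the attack before buffering anything. The MTU, header sizes and function names are this example's own assumptions.

```python
IPV4_MAX_DATAGRAM = 65_535   # limit of the 16-bit Total Length field
IPV4_HEADER_LEN = 20         # header without options
ICMP_HEADER_LEN = 8
MTU = 1500                   # Ethernet; assumption of this example


def fragment(icmp_len, mtu=MTU):
    """Split an ICMP message of icmp_len bytes (8-byte ICMP header included)
    into IP fragments as a sending stack would. Each fragment is described
    as (offset_units, length, more_fragments): Fragment Offset is a 13-bit
    field counted in 8-byte units, so every fragment but the last carries a
    multiple of 8 payload bytes."""
    per_frag = (mtu - IPV4_HEADER_LEN) // 8 * 8        # 1480 on Ethernet
    frags, pos = [], 0
    while pos < icmp_len:
        length = min(per_frag, icmp_len - pos)
        more = pos + length < icmp_len
        frags.append((pos // 8, length, more))
        pos += length
    return frags


def reassembled_size(frags):
    """Size a naive reassembler ends up with once the last fragment lands:
    IP header plus the highest byte any fragment claims. Returns None if
    the set is not a complete, gap-free datagram (hole, overlap, or MF
    flag inconsistent with the fragment's position)."""
    ordered = sorted(frags, key=lambda f: f[0])
    expected_start = 0
    for i, (off, length, more) in enumerate(ordered):
        if off * 8 != expected_start:
            return None
        if more != (i < len(ordered) - 1):
            return None
        expected_start = off * 8 + length
    return IPV4_HEADER_LEN + expected_start if ordered else None


def oversized_fragment(frags):
    """The bound check a hardened stack applies to each fragment on arrival,
    before buffering: header + offset*8 + length must fit in the 65,535-byte
    maximum. Returns the first offending fragment, or None. A stack that
    only validates each fragment's own Total Length never notices, because
    every individual fragment is small."""
    for frag in frags:
        off, length, _ = frag
        if IPV4_HEADER_LEN + off * 8 + length > IPV4_MAX_DATAGRAM:
            return frag
    return None


def normal_ping_size(data_bytes=56):
    """A default ping: 56 data bytes + 8 ICMP header + 20 IP header = 84."""
    return IPV4_HEADER_LEN + ICMP_HEADER_LEN + data_bytes


if __name__ == "__main__":
    print("normal ping  :", normal_ping_size(), "bytes, reassembled",
          reassembled_size(fragment(ICMP_HEADER_LEN + 56)))
    legal = fragment(IPV4_MAX_DATAGRAM - IPV4_HEADER_LEN)   # 65,515-byte ICMP message
    print("largest legal:", reassembled_size(legal), "oversized:", oversized_fragment(legal))
    pod = fragment(66_000)
    print("ping of death:", reassembled_size(pod), "oversized:", oversized_fragment(pod))
```

The boundary case matters: an ICMP message of 65,515 bytes reassembles to exactly 65,535 and is legal, one of 66,000 is not, and the offending fragment (offset 8140 in 8-byte units, 880 bytes) is rejected by `oversized_fragment` before the stack allocates anything for it.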
DoS Attacks
SYN Flood Attack
A SYN flood attack exploits the TCP three-way handshake. It involves sending many SYN requests (1,000+), usually from spoofed source addresses, to a targeted server. The server replies with the usual SYN-ACK response and keeps a half-open connection entry for each, but the malicious host never responds with the final ACK to complete the handshake. This ties up the server until it eventually runs out of resources and cannot respond to a valid host request.
Other types of DoS attacks include:
- E-mail bombs - Programs send bulk e-mails to individuals, lists, or domains, monopolizing e-mail services.
- Malicious applets - These attacks are Java, JavaScript, or ActiveX programs that cause destruction or tie up computer resources.
DDoS Attacks
Distributed DoS (DDoS) attacks are designed to saturate network links with illegitimate data. This data can overwhelm an Internet link, causing legitimate traffic to be dropped.
DDoS uses attack methods similar to standard DoS attacks, but operates on a much larger scale. Typically, hundreds or thousands of attack points attempt to overwhelm a target.
Examples of DDoS attacks include the following:
- Smurf attack
- Tribe flood network (TFN)
- Stacheldraht
- MyDoom
DDoS Attacks
Smurf Attack
The Smurf attack uses spoofed broadcast ping messages to flood a target system. It starts with an attacker sending a large number of ICMP echo requests to the directed broadcast address of an intermediary network, with the source IP address spoofed to be that of the victim. Every host on that network that answers sends its echo reply to the victim, so the attacker's traffic is amplified by the number of responding hosts.
Turning off directed broadcast capability in the network infrastructure prevents the network from being used as a bounce site. Directed broadcast capability is turned off by default in Cisco IOS software since version 12.0.
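As an added example serving both the SYN flood slide above and this Smurf slide (not course code), the following Python runs two detections over a constructed packet trace: it counts half-open TCP connections per server to spot a SYN flood, and it flags ICMP echo requests sent to a directed-broadcast address, whose source field names the Smurf victim rather than the sender. The addresses, threshold and record format are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed packet trace (not a real capture). Each record is
# (src, dst, proto, info) where info is the TCP flag string or ICMP type.
SERVER = "192.0.2.10"
VICTIM = "203.0.113.5"
LAN = ipaddress.ip_network("10.0.0.0/24")      # the Smurf bounce network


def _handshake(client):
    """A legitimate three-way handshake."""
    return [(client, SERVER, "tcp", "SYN"),
            (SERVER, client, "tcp", "SYN-ACK"),
            (client, SERVER, "tcp", "ACK")]


def _syn_flood(n):
    """n SYNs from spoofed sources; the server answers, nobody ACKs."""
    pkts = []
    for i in range(n):
        spoofed = f"198.51.100.{i + 1}"
        pkts.append((spoofed, SERVER, "tcp", "SYN"))
        pkts.append((SERVER, spoofed, "tcp", "SYN-ACK"))
    return pkts


def _smurf(bounce_hosts):
    """One echo request to the LAN broadcast address, source spoofed as
    the victim, followed by the replies the bounce hosts send the victim."""
    bcast = str(LAN.broadcast_address)
    pkts = [(VICTIM, bcast, "icmp", "echo-request")]
    pkts += [(h, VICTIM, "icmp", "echo-reply") for h in bounce_hosts]
    return pkts


TRACE = (_handshake("10.0.0.7") + _syn_flood(40) + _handshake("10.0.0.8")
         + _smurf([f"10.0.0.{i}" for i in range(20, 60)]))


def half_open_by_server(packets):
    """Count connections where the server answered SYN with SYN-ACK but
    never saw the client's ACK, keyed by server address."""
    state = {}                                   # (client, server) -> stage
    for src, dst, proto, info in packets:
        if proto != "tcp":
            continue
        if info == "SYN":
            state[(src, dst)] = "syn"
        elif info == "SYN-ACK" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "half-open"
        elif info == "ACK" and state.get((src, dst)) == "half-open":
            state[(src, dst)] = "established"
    counts = defaultdict(int)
    for (_client, server), stage in state.items():
        if stage == "half-open":
            counts[server] += 1
    return dict(counts)


def syn_flood_targets(packets, threshold=20):
    """Servers holding at least `threshold` half-open connections."""
    return sorted(s for s, n in half_open_by_server(packets).items() if n >= threshold)


def smurf_indicators(packets, networks):
    """Echo requests addressed to a directed-broadcast address. The source
    on such a packet is the victim, not the sender. Also report how many
    echo replies were bounced toward that source (the amplification)."""
    bcasts = {str(n.broadcast_address) for n in networks}
    out = []
    for src, dst, proto, info in packets:
        if proto == "icmp" and info == "echo-request" and dst in bcasts:
            replies = sum(1 for s, d, p, i in packets
                          if p == "icmp" and i == "echo-reply" and d == src)
            out.append({"victim": src, "bounce_address": dst, "replies": replies})
    return out


if __name__ == "__main__":
    print("half-open per server:", half_open_by_server(TRACE))
    print("SYN flood targets   :", syn_flood_targets(TRACE))
    print("Smurf indicators    :", smurf_indicators(TRACE, [LAN]))
```

The Smurf indicator reports the number of echo replies bounced at the spoofed source, which is the amplification factor the attacker gains from the bounce network; disabling directed broadcasts on the router (the IOS default since 12.0) removes it. The half-open count is a detection, not a cure: on the server side the cure is SYN cookies or a short backlog timeout so that half-open entries stop consuming resources.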
Malicious Code Attacks
8/3/2019 CCNA Exp4 - Chapter04 - Network Security
48/139
Malicious Code Attacks
Hc vin mng Bach Khoa - Website: www.bkacad.com
The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks.
A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts.
A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation.
A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.
Malicious Code Attacks
Worm Attack
The anatomy of a worm attack is as follows:
- The enabling vulnerability - A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments in e-mails.
- Propagation mechanism - After gaining access to a host, a worm copies itself to that host and then selects new targets.
- Payload - Once a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.
Malicious Code Attacks
Worm Attack
The following are the recommended steps for worm attack mitigation:
- Containment - Contain the spread of the worm in and within the network. Compartmentalize uninfected parts of the network.
- Inoculation - Start patching all systems and, if possible, scanning for vulnerable systems.
- Quarantine - Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network.
- Treatment - Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
Malicious Code Attacks
Viruses and Trojan Horses
A virus is malicious software that is attached to another program to execute a particular unwanted function on a workstation.
A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool.
General Mitigation Techniques
8/3/2019 CCNA Exp4 - Chapter04 - Network Security
53/139
Device Hardening
When a new operating system is installed on a computer, the security settings are set to the default values. In most cases, this level of security is inadequate.
There are some simple steps that should be taken that apply to most operating systems:
- Default usernames and passwords should be changed immediately.
- Access to system resources should be restricted to only the individuals that are authorized to use those resources.
- Any unnecessary services and applications should be turned off and uninstalled, when possible.
Antivirus Software
Install host antivirus software to protect against known viruses. Antivirus software can detect most viruses and many Trojan horse applications, and prevent them from spreading in the network.
Antivirus software does this in two ways:
- It scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the end user.
- It monitors suspicious processes running on a host that might indicate infection. This monitoring may include data captures, port monitoring, and other methods.
Personal Firewall
Personal computers connected to the Internet through a dialup connection, DSL, or cable modems are as vulnerable as corporate networks.
Personal firewalls reside on the PC of the user and attempt to prevent attacks. Personal firewalls are not designed for LAN implementations, such as appliance-based or server-based firewalls, and they may prevent network access if installed with other networking clients, services, protocols, or adapters.
Operating System Patches
The most effective way to mitigate a worm and its variants is to download security updates from the operating system vendor and patch all vulnerable systems. This is difficult with uncontrolled user systems in the local network, and even more troublesome if these systems are remotely connected to the network via a virtual private network (VPN) or remote access server (RAS).
Intrusion Detection and Prevention
Intrusion detection systems (IDS) detect attacks against a network and send logs to a management console.
Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection:
- Prevention - Stops the detected attack from executing.
- Reaction - Immunizes the system from future attacks from a malicious source.
Either technology can be implemented at a network level or host level, or both for maximum protection.
Host-based Intrusion Detection Systems
Host-based intrusion protection is typically implemented as inline or passive technology, depending on the vendor.
1. Passive technology, which was the first generation technology, is called a host-based intrusion detection system (HIDS). HIDS sends logs to a management console after the attack has occurred and the damage is done.
2. Inline technology, called a host-based intrusion prevention system (HIPS), actually stops the attack, prevents damage, and blocks the propagation of worms and viruses.
Cisco provides HIPS using the Cisco Security Agent software. HIPS software must be installed on each host, either the server or desktop, to monitor activity performed on and against the host.
Common Security Appliances and Applications
Security is a top consideration whenever planning a network. In the past, the one device that would come to mind for network security was the firewall.
A firewall by itself is no longer adequate for securing a network. An integrated approach involving firewall, intrusion prevention, and VPN is necessary.
An integrated approach to security, and the necessary devices to make it happen, follows these building blocks:
- Threat control
- Secure communications
- Network admission control (NAC)
The Cisco products covering these building blocks are:
- Cisco ASA 5500 Series Adaptive Security Appliance
- Cisco IPS 4200 Series Sensors
- Cisco NAC Appliance
- Cisco Security Agent (CSA)
The Network Security Wheel
To begin the Security Wheel process, first develop a security policy that enables the application of security measures. A security policy includes the following:
- Identifies the security objectives of the organization.
- Documents the resources to be protected.
- Identifies the network infrastructure with current maps and inventories.
- Identifies the critical resources that need to be protected, such as research and development, finance, and human resources. This is called a risk analysis.
The Enterprise Security Policy
What is a Security Policy?
A security policy benefits an organization in the following ways:
- Provides a means to audit existing network security and compare the requirements to what is in place.
- Plans security improvements, including equipment, software, and procedures.
- Defines the roles and responsibilities of the company executives, administrators, and users.
- Defines which behavior is and is not allowed.
- Defines a process for handling network security incidents.
- Enables global security implementation and enforcement by acting as a standard between sites.
- Creates a basis for legal action if necessary.
Functions of a Security Policy
The security policy is for everyone, including employees, contractors, suppliers, and customers who have access to the network. However, the security policy should treat each of these groups differently. Each group should only be shown the portion of the policy appropriate to their work and level of access to the network.
Components of a Security Policy
The SANS Institute (http://www.sans.org) provides guidelines developed in cooperation with a number of industry leaders, including Cisco, for developing comprehensive security policies for organizations large and small. Not all organizations need all of these policies.
The Role of Routers in Network Security
Router security is a critical element in any security deployment. Routers are definite targets for network attackers.
If an attacker can compromise and access a router, it can be a potential aid to them. Knowing the roles that routers fulfill in the network helps you understand their vulnerabilities.
Routers fulfill the following roles:
Advertise networks and filter who can use them.
Provide access to network segments and subnetworks.
Routers are Targets
Because routers provide gateways to other networks, they are obvious targets, and are subject to a variety of attacks.
Here are some examples of various security problems:
Compromising the access control can expose network configuration details, thereby facilitating attacks against other network components.
Compromising the route tables can reduce performance, deny network communication services, and expose sensitive data.
Misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.
Routers are Targets
Attackers can compromise routers in different ways, so there is no single approach that network administrators can use to combat them. The ways that routers are compromised are similar to the types of attacks you learned about earlier in this chapter, including trust exploitation attacks, IP spoofing, session hijacking, and MITM attacks.
Securing Your Network
Securing routers at the network perimeter is an important first step in securing the network.
Think about router security in terms of these categories:
Physical security
Update the router IOS whenever advisable
Back up the router configuration and IOS
Harden the router to eliminate the potential abuse of unused ports and services
Applying Cisco IOS Security Features to Routers
Before you configure security features on a router, you need a plan for all the Cisco IOS security configuration steps.
Managing Router Security
Basic router security consists of configuring passwords. A strong password is the most fundamental element in controlling secure access to a router. For this reason, strong passwords should always be configured.
A recommended method for creating strong complex passwords is to use passphrases. A passphrase is basically a sentence or phrase that serves as a more secure password. Make sure that the phrase is long enough to be hard to guess but easy to remember and type accurately.
Note: Password-leading spaces are ignored, but all spaces after the first character are not ignored.
Configuring Router Passwords
By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password.
For example:
R1(config)# username Student password cisco123
R1(config)# do show run | include username
username Student password 0 cisco123
R1(config)#
The 0 displayed in the running configuration indicates that the password is not hidden. Cisco IOS provides 2 password protection schemes:
1. Simple encryption called a type 7 scheme. It uses the Cisco-defined encryption algorithm and will hide the password using a simple encryption algorithm.
2. Complex encryption called a type 5 scheme. It uses a more secure MD5 hash.
Configuring Router Passwords
The type 7 encryption can be used by the enable password, username, and line password commands including vty, line console, and aux port. It does not offer very much protection as it only hides the password using a simple encryption algorithm. Although not as secure as the type 5 encryption, it is still better than no encryption.
To encrypt passwords using type 7 encryption, use the service password-encryption global configuration command as displayed in the figure.
Configuring Router Passwords
Cisco recommends that Type 5 encryption be used instead of Type 7 whenever possible. MD5 encryption is a strong encryption method. It should be used whenever possible. It is configured by replacing the keyword password with secret.
A router will always use the secret password over the enable password. For this reason, the enable password command should never be configured as it may give away a system password.
Note: Some processes may not be able to use type 5 encrypted passwords. For example, PAP and CHAP require clear text passwords and cannot use MD5 encrypted passwords.
R1(config)# username Student secret cisco
username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
R1(config)#
Configuring Router Passwords
Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command, as shown in the figure. This command affects any new user passwords, enable passwords and secrets, and line passwords created after the command was executed. The command does not affect existing router passwords.
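To turn the password rules above into a check, here is an added Python example (not from the course) that audits a running-config for type 0 and type 7 passwords, an enable password configured next to an enable secret, and a missing service password-encryption or security passwords min-length. The sample configuration is constructed for the example; its type 7 strings are placeholders, not real encodings.

```python
"""Audit a Cisco IOS running-config for the password weaknesses the chapter
describes (added example, not course material): type 0 = plain text, type 7 =
reversible obfuscation, type 5 = MD5 hash; 'secret' should replace 'password',
'enable password' should not be configured at all."""
import re
from dataclasses import dataclass

# Constructed sample; the type 7 strings are placeholders, not real encodings.
SAMPLE_CONFIG = """\
hostname R1
security passwords min-length 10
enable password cisco123
enable secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
username Student password 0 cisco123
username Ops password 7 0123456789ABCD
line con 0
 password console1
line vty 0 4
 password 7 0123456789AB
 transport input ssh
"""

@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or LOW
    context: str    # where in the config the problem was found
    message: str

USER_RE = re.compile(r"^username (\S+) (password|secret)(?: (\d))? (\S+)$")
ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d))? (\S+)$")
LINE_PW_RE = re.compile(r"^password(?: (\d))? (\S+)$")

def password_type(keyword, typ):
    """Storage type: the explicit digit if present, else 5 for 'secret', 0 for 'password'."""
    if typ is not None:
        return int(typ)
    return 5 if keyword == "secret" else 0

def rate(ptype):
    """Map a storage type to (severity, reason); severity None means acceptable."""
    if ptype == 0:
        return "HIGH", "stored in plain text (type 0)"
    if ptype == 7:
        return "MEDIUM", "type 7 is reversible obfuscation, not a hash"
    if ptype == 5:
        return None, "type 5 MD5 hash"
    return "MEDIUM", "unrecognised password type %d" % ptype

def audit_config(text):
    """Return the list of Findings for a running-config given as text."""
    lines = text.splitlines()
    findings = []
    has_enable_secret = any(l.strip().startswith("enable secret ") for l in lines)
    context = "global"
    for raw in lines:
        line = raw.strip()
        if line.startswith("line "):
            context = line          # e.g. 'line vty 0 4'; indented lines belong to it
        elif not raw.startswith(" "):
            context = "global"      # any other top-level command ends the line block
        m = USER_RE.match(line)
        if m:
            name, kw, typ, _ = m.groups()
            sev, why = rate(password_type(kw, typ))
            if sev:
                findings.append(Finding(sev, "username " + name,
                                        why + "; use 'username %s secret'" % name))
            continue
        m = ENABLE_RE.match(line)
        if m and m.group(1) == "password":
            why = ("configured alongside enable secret and may give away a system password"
                   if has_enable_secret else "used instead of enable secret")
            findings.append(Finding("HIGH", "enable password", why + "; remove it"))
            continue
        m = LINE_PW_RE.match(line)
        if m and context.startswith("line "):
            sev, why = rate(password_type("password", m.group(1)))
            if sev:
                findings.append(Finding(sev, context, why))
    if "service password-encryption" not in [l.strip() for l in lines]:
        findings.append(Finding("LOW", "global", "service password-encryption is not enabled"))
    if not any(l.strip().startswith("security passwords min-length") for l in lines):
        findings.append(Finding("LOW", "global", "security passwords min-length is not set"))
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("%-6s %-16s %s" % (f.severity, f.context, f.message))
```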
Securing Administrative Access to Routers
To secure administrative access to routers and switches, first you will secure the administrative lines (VTY, AUX), then you will configure the network device to encrypt traffic in an SSH tunnel.
Remote Administrative Access with Telnet and SSH
Another useful tactic is to configure VTY timeouts using the exec-timeout command. This prevents an idle session from consuming the VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it provides some protection against sessions accidentally left idle.
Similarly, enabling TCP keepalives on incoming connections by using the service tcp-keepalives-in command can help guard against both malicious attacks and orphaned sessions caused by remote system crashes.
Implementing SSH to Secure Remote Administrative Access
SSH has replaced Telnet as the best practice for providing remote router administration with connections that support strong privacy and session integrity. SSH uses TCP port 22.
Not all Cisco IOS images support SSH. Only cryptographic images can. Typically, these images have image IDs of k8 or k9 in their image names. Cisco routers are capable of acting as the SSH client and server. By default, both of these functions are enabled on the router when SSH is enabled. As a client, a router can SSH to another router. As a server, a router can accept SSH client connections.
Configuring SSH Security
To enable SSH on the router, the following parameters must be configured:
Hostname
Domain name
Asymmetrical keys
Local authentication
Optional configuration parameters include:
Timeouts
Retries
Activity 4.2.4.5
Logging Router Activity
R2(config)# service timestamps ?
  debug  Timestamp debug messages
  log    Timestamp log messages
R2(config)# service timestamps
Logs allow you to verify that a router is working properly or to determine whether the router has been compromised.
In some cases, a log can show what types of probes or attacks are being attempted against the router or the protected network.
A syslog server provides a better solution because all network devices can forward their logs to one central station where an administrator can review them. An example of a syslog server application is Kiwi Syslog Daemon.
Accurate time stamps are important to logging. Time stamps allow you to trace network attacks more credibly.
A Network Time Protocol (NTP) server may have to be configured to provide a synchronized time source for all devices.
Secure Router Network Services
Vulnerable Router Services and Interfaces
SNMP, NTP, and DNS Vulnerabilities
Versions of SNMP prior to version 3 shuttle information in clear text. Normally, SNMP version 3 should be used.
Disabling NTP on an interface does not prevent NTP messages from traversing the router. To reject all NTP messages at a particular interface, use an access list.
Turn off DNS name resolution with the command no ip domain-lookup. It is also a good idea to give the router a name, using the command hostname.
Routing Protocol Authentication Overview
In general, routing systems can be attacked in two ways:
1. Disruption of peers
2. Falsification of routing information
A straightforward way to attack the routing system is to attack the routers running the routing protocols, gain access to the routers and inject false information. Be aware that anyone "listening" can capture routing updates.
Routing Protocol Authentication Overview
The figure shows how each router in the update chain creates a signature. The three components of such a system include:
1. Encryption algorithm, which is generally public knowledge
2. Key used in the encryption algorithm, which is a secret shared by the routers authenticating their packets
3. Contents of the packet itself
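An added Python model of the three components listed above (not the course's or Cisco's code): the sender computes MD5 over the packet contents followed by the shared key, as RIPv2 MD5 authentication does, and the receiver recomputes the digest with its own copy of the key, so a modified packet, a wrong key, or a replayed sequence number is rejected. The key-id/sequence header, the route encoding, the key and the routes are assumptions made for this example, not the real RIPv2 packet layout.

```python
"""Keyed-MD5 authentication of routing updates (added example, not course or
Cisco code). Simplified model of RFC 2082-style RIPv2 MD5 authentication:
digest = MD5(packet contents || shared key zero-padded to 16 bytes); the
digest travels in place of the key, and a sequence number blocks replays."""
import hashlib
import hmac
import socket
import struct

KEY_LEN = 16                    # RFC 2082 pads the shared key to 16 bytes before hashing
HDR = struct.Struct("!BI")      # assumed header: key-id (1 byte), sequence number (4 bytes)
ROUTE = struct.Struct("!4sBB")  # assumed route entry: network, prefix length, metric
DIGEST_LEN = hashlib.md5().digest_size

def keyed_digest(contents, key):
    """Component 1 (MD5, public) over component 3 (packet) followed by component 2 (key)."""
    if not 1 <= len(key) <= KEY_LEN:
        raise ValueError("key must be 1-16 bytes")
    return hashlib.md5(contents + key.ljust(KEY_LEN, b"\x00")).digest()

def sign_update(routes, key_id, seq, key):
    """Sender side: header + route entries, then the keyed digest appended."""
    body = HDR.pack(key_id, seq)
    for network, prefixlen, metric in routes:
        body += ROUTE.pack(socket.inet_aton(network), prefixlen, metric)
    return body + keyed_digest(body, key)

def verify_update(packet, keychain, last_seq):
    """Receiver side: return (ok, reason, routes, seq); keychain maps key-id -> key."""
    if len(packet) < HDR.size + DIGEST_LEN:
        return False, "truncated packet", [], last_seq
    body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    key_id, seq = HDR.unpack_from(body)
    key = keychain.get(key_id)
    if key is None:
        return False, "unknown key-id %d" % key_id, [], last_seq
    # Constant-time comparison so the check does not leak digest bytes via timing.
    if not hmac.compare_digest(keyed_digest(body, key), digest):
        return False, "digest mismatch: wrong key or modified contents", [], last_seq
    if seq <= last_seq:   # checked after the digest, so the sequence number is authenticated
        return False, "replayed or out-of-order update (seq %d <= %d)" % (seq, last_seq), [], last_seq
    entries = body[HDR.size:]
    if len(entries) % ROUTE.size:
        return False, "malformed route entries", [], last_seq
    routes = [(socket.inet_ntoa(a), p, m) for a, p, m in ROUTE.iter_unpack(entries)]
    return True, "ok", routes, seq

if __name__ == "__main__":
    key = b"ripkey-1"   # constructed shared secret
    routes = [("10.1.0.0", 16, 1), ("192.168.5.0", 24, 3)]
    pkt = sign_update(routes, 1, 100, key)
    print("genuine:  ", verify_update(pkt, {1: key}, 99)[:2])
    altered = bytearray(pkt)
    altered[HDR.size + ROUTE.size - 1] = 15   # change the first route's metric in transit
    print("altered:  ", verify_update(bytes(altered), {1: key}, 99)[:2])
    print("wrong key:", verify_update(pkt, {1: b"other"}, 99)[:2])
    print("replay:   ", verify_update(pkt, {1: key}, 100)[:2])
```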
Configuring RIPv2 with Routing Protocol Authentication
Overview of Routing Protocol Authentication for EIGRP and OSPF
Locking Down Your Router with Cisco Auto Secure
Cisco AutoSecure uses a single command to disable non-essential system processes and services, eliminating potential security threats.
You can configure AutoSecure in privileged EXEC mode using the auto secure command in one of these two modes:
1. Interactive mode - This mode prompts you with options to enable and disable services and other security features. This is the default mode.
2. Non-interactive mode - This mode automatically executes the auto secure command with the recommended Cisco default settings. This mode is enabled with the no-interact command option.
What is Cisco SDM?
The Cisco Router and Security Device Manager (SDM) is an easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers.
The SDM files can be installed on the router, a PC, or on both. An advantage of installing SDM on the PC is that it saves router memory, and allows you to use SDM to manage other routers on the network.
Cisco SDM Features
Cisco SDM smart wizards can intelligently detect incorrect configurations and propose fixes, such as allowing DHCP traffic through a firewall if the WAN interface is DHCP-addressed.
Online help embedded within Cisco SDM contains appropriate background information, in addition to step-by-step procedures to help users enter correct data in Cisco SDM.
Configuring Your Router to Support Cisco SDM
Starting Cisco SDM
Cisco SDM Home Page Overview
About Your Router Area
Configuration Overview Area
Interfaces and Connections
Firewall Policies
VPN
View Running Config
Routing
Intrusion Prevention
Cisco SDM Wizards
Check http://www.cisco.com/go/sdm for the latest information about the Cisco SDM wizards and the interfaces they support.
http://www.cisco.com/cdc_content_elements/flash/sdm/demo.htm?NO_NAV
Locking Down a Router with Cisco SDM
AutoSecure features that are implemented differently in Cisco SDM include the following:
1. Disables SNMP, and does not configure SNMP version 3.
2. Enables and configures SSH on crypto Cisco IOS images.
3. Does not enable Service Control Point or disable other access and file transfer services, such as FTP.
Locking Down a Router with Cisco SDM
Refer to 4.4.6
Secure Router Management
Maintaining Cisco IOS Software Image
An update replaces one release with another without upgrading the feature set. The software might be updated to fix a bug or to replace a release that is no longer supported. Updates are free.
An upgrade replaces a release with one that has an upgraded feature set. The software might be upgraded to add new features or technologies, or replace a release that is no longer supported. Upgrades are not free.
Maintaining Cisco IOS Software Image
Cisco recommends following a four-phase migration process to simplify network operations and management. When you follow a repeatable process, you can also benefit from reduced costs in operations, management, and training.
The four phases are:
1. Plan - Set goals, identify resources, profile network hardware and software, and create a preliminary schedule for migrating to new releases.
2. Design - Choose new Cisco IOS releases and create a strategy for migrating to the releases.
3. Implement - Schedule and execute the migration.
4. Operate - Monitor the migration progress and make backup copies of images that are running on your network.
Maintaining Cisco IOS Software Image
There are a number of tools available on Cisco.com to aid in migrating Cisco IOS software. You can use the tools to get information about releases, feature sets, platforms, and images. The following tools do not require a Cisco.com login:
1. Cisco IOS Reference Guide - Covers the basics of the Cisco IOS software family
2. Cisco IOS software technical documents - Documentation for each release of Cisco IOS software
3. Software Center - Cisco IOS software downloads
4. Cisco IOS Software Selector - Finds required features for a given technology
Maintaining Cisco IOS Software Image
The following tools require valid Cisco.com login accounts:
1. Bug Toolkit - Searches for known software fixes based on software version, feature set, and keywords
2. Cisco Feature Navigator - Finds releases that support a set of software features and hardware, and compares releases
3. Software Advisor - Compares releases, matches Cisco IOS software and Cisco Catalyst OS features to releases, and finds out which software release supports a given hardware device
4. Cisco IOS Upgrade Planner - Finds releases by hardware, release, and feature set, and downloads images of Cisco IOS software
Cisco IOS File Systems and Devices
Cisco IOS devices provide a feature called the Cisco IOS Integrated File System (IFS). This system allows you to create, navigate, and manipulate directories on a Cisco device. The directories available depend on the platform. Although there are several file systems listed, of interest to us will be the tftp, flash and nvram file systems. Network file systems include using FTP, trivial FTP (TFTP), or Remote Copy Protocol (RCP).
An asterisk (*) indicates that this is the current default file system.
The pound symbol (#) indicates that this is a bootable disk.
Cisco IOS File Systems and Devices
To view the contents of NVRAM, you must change the current default file system using the cd change directory command.
The pwd present working directory command verifies that we are located in the NVRAM directory. Finally, the dir command lists the contents of NVRAM.
URL Prefixes for Cisco Devices
Cisco IOS File Naming Conventions
Other feature set possibilities include:
i - Designates the IP feature set
j - Designates the enterprise feature set (all protocols)
s - Designates a PLUS feature set (extra queuing, manipulation, or translations)
56i - Designates 56-bit IPsec DES encryption
3 - Designates the firewall/IDS
k2 - Designates the 3DES IPsec encryption (168 bit)
Using TFTP Servers to Manage IOS Images
Before changing a Cisco IOS image on the router, you need to complete these tasks:
Determine the memory required for the update and, if necessary, install additional memory.
Set up and test the file transfer capability between the administrator host and the router.
Schedule the required … of business hours, for the router to perform the update.
When you are ready to do the update, carry out these steps:
Shut down all interfaces on the router not needed to perform the update.
Back up the current operating system and the current configuration file to a TFTP server.
Load the update for either the operating system or the configuration file.
Test to confirm that the update works properly. If the tests are successful, you can then re-enable the interfaces you disabled. If the tests are not successful, back out the update, determine what went wrong, and start again.
Backing Up IOS Software Image
Upgrading IOS Software Images
Note: Make sure that the Cisco IOS image loaded is appropriate for the router platform. If the wrong Cisco IOS image is loaded, the router could be made unbootable, requiring ROM monitor (ROMmon) intervention.
Recovering Software Images
Restoring IOS Software Images
Using xmodem to Restore an IOS Image
Troubleshooting Cisco IOS
Cisco IOS Troubleshooting Commands
The debug command allows you to trace the execution of a process.
Use the show command to verify configurations.
Using the show Command
The show command displays static information. Use show commands when gathering facts for isolating problems in an internetwork, including problems with interfaces, nodes, media, servers, clients, or applications.
The Cisco IOS command guide lists 1,463 show commands.
Using the debug Command
By default, the network server sends the output from debug commands and system error messages to the console. Remember that you can redirect debug output to a syslog server.
Note: Debugging output is assigned high priority in the CPU process queue and can therefore interfere with normal production processes on a network. For this reason, use debug commands during quiet hours and only to troubleshoot specific problems.
Considerations when using the debug Command
With proper, selective, and temporary use of debug commands, you can obtain potentially useful information without needing a protocol analyzer or other third-party tool.
Recovering a Lost Router Password
About Password Recovery
Have you ever forgotten the password to a router? Maybe not, but sometime in your career, you can expect someone to forget, and you will need to recover it. In a router, a configuration register, represented by a single hexadecimal value, tells the router what specific steps to take when powered on. Configuration registers have many uses, and password recovery is probably the most used.
Router Password Recovery Procedure
Step 1. Connect to the console port.
Step 2. If you have lost the enable password, you would still have access to user EXEC mode. Type show version at the prompt, and record the configuration register setting.
Step 3. Use the power switch to turn off the router, and then turn the router back on.
Step 4. Press Break on the terminal keyboard within 60 seconds of …
Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the router to bypass the startup configuration where the forgotten enable password is stored.
Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.
Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
Step 8. Type enable at the Router> prompt. This puts you into enable mode, and you should be able to see the Router# prompt.
Router Password Recovery Procedure
Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be careful! Do not type copy running-config startup-config or you will erase your startup configuration.
Step 10. Type show running-config.
Step 11. Type configure terminal. The hostname(config)# prompt appears.
Step 12. Type enable secret password to change the enable secret password. For example:
Step 13. Issue the no shutdown command on every interface that you want to use.
Step 14. Type config-register configuration_register_setting. The configuration_register_setting is either the value you recorded in Step 2 or 0x2102. For example:
R1(config)# config-register 0x2102
Step 15. Press Ctrl-Z or type end to leave configuration mode. The hostname# prompt appears.
Step 16. Type copy running-config startup-config to commit the changes.
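An added Python check (not from the course) for the register values this procedure relies on: it decodes the configuration register bits, reads the "Configuration register is …" line of show version output, and flags a router left at 0x2142 after recovery, which would boot without its startup-config and passwords at the next reload. The show version sample is constructed; the bit meanings are the standard Cisco ones summarised in the comments.

```python
"""Decode and check the Cisco configuration register after a password recovery
(added example, not course or Cisco code). Step 5 sets 0x2142 (bit 6, 0x0040:
ignore NVRAM) and Step 14 must restore 0x2102. Parses the 'Configuration
register is ...' line of show version, including the 'will be ... at next
reload' form shown when the value was changed but not yet applied."""
import re

IGNORE_NVRAM = 0x0040    # bit 6: ignore the startup configuration in NVRAM
BREAK_DISABLED = 0x0100  # bit 8: console Break ignored once Cisco IOS is running
ROM_FALLBACK = 0x2000    # bit 13: boot default ROM software if network boot fails
BOOT_FIELD = 0x000F      # bits 0-3: 0 = ROMmon, 1 = boot helper, 2-F = boot system commands

REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

# Constructed sample of the relevant show version lines.
SAMPLE_SHOW_VERSION = """\
R1 uptime is 12 minutes
Configuration register is 0x2102 (will be 0x2142 at next reload)
"""

def decode_confreg(value):
    """Split a register value into its boot field and the flag bits above."""
    boot = value & BOOT_FIELD
    modes = {0: "ROM monitor", 1: "boot helper image from ROM"}
    return {
        "boot_field": boot,
        "boot_mode": modes.get(boot, "boot system commands, else first image in flash"),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }

def parse_show_version(text):
    """Return (current, next_reload) register values, or None if the line is absent."""
    m = REG_RE.search(text)
    if not m:
        return None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending

def check_register(text):
    """Findings to raise after Step 16: the router must not stay in bypass mode."""
    parsed = parse_show_version(text)
    if parsed is None:
        return ["configuration register not found in show version output"]
    current, pending = parsed
    targets = [("current", current)]
    if pending != current:
        targets.append(("next reload", pending))
    findings = []
    for label, reg in targets:
        d = decode_confreg(reg)
        if d["ignore_nvram"]:
            findings.append("%s register 0x%04X ignores NVRAM: the router would boot "
                            "without its startup-config and passwords; set "
                            "config-register 0x2102 as in Step 14" % (label, reg))
        if d["boot_field"] == 0:
            findings.append("%s register 0x%04X boots to ROMmon, not Cisco IOS" % (label, reg))
    return findings

if __name__ == "__main__":
    print(decode_confreg(0x2142))
    for f in check_register(SAMPLE_SHOW_VERSION):
        print("WARNING:", f)
```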
Labs
Summary